Enhancing Digital Resilience in the Financial Sector: DORA and the Role of SES

In a digital age where data security and business continuity are paramount, the EU's proposed Digital Operational Resilience Act (DORA) represents a significant step forward. This legislation seeks to harmonise and strengthen ICT resilience within the financial sector and its associated entities, encompassing third-party IT service providers. DORA outlines requirements on ICT risk management, third-party lifecycle management, and ICT-related incident reporting.

Among the many considerations of this new regulation, one that stands out is the 'Management of ICT Third-Party Risk.' Companies in the financial sector rely heavily on third-party IT services, and under DORA, these relationships need careful management. In such a context, software escrow services, like those provided by SES, can be a crucial tool.

Understanding Software Escrow and SES

Software escrow is a three-party agreement between a software developer (the depositor), their customer (the beneficiary), and an escrow agent (SES). In this arrangement, the software source code, data, and deployment method is deposited with SES. SES will undertake a series of tests to ensure the deposit is accurate and deployable independently of the developer to prove a successful release process.  If the developer cannot or will not support the software — due to insolvency or a breach of license, SES will implement the release, ensuring continuity of operations.

SES, a renowned software escrow company, offers comprehensive escrow solutions, thereby enhancing the security and resilience of your software applications and data.

DORA and SES: A Harmonious Intersection

In the context of DORA, SES can provide significant value to financial sector entities and their third-party IT service providers. By employing software escrow services, these entities can demonstrate robust risk management protocols for their critical software applications and data.

1. Risk Management: SES’s software escrow services help mitigate the risk of software unavailability due to developer failure. This falls in line with DORA's emphasis on 'protection and prevention' and 'learning and evolving' as part of ICT risk management.
2. Operational Resilience: With the source code, data, and replicated environment tested and securely held by SES, financial entities can ensure business continuity, even in the event of a third-party IT service provider failure. This is in line with DORA's requirement for 'digital operational resilience testing'.
3. Third-Party Risk Management: By insisting that their IT service providers use software escrow services like SES, financial entities can ensure better control over third-party risks. This is in accordance with DORA's mandate for 'Management of ICT Third-Party Risk.'

Looking Ahead

With the finalisation of DORA completed in 2023, financial entities and their third-party service providers need to be proactive in implementing measures to ensure compliance. SES, through its robust software escrow and continuity services, provides an effective solution for managing third-party software risk and maintaining operational resilience — core tenets of DORA.

Leveraging software escrow services not only demonstrates compliance with the evolving regulatory landscape but also instils confidence among stakeholders regarding the entity's commitment to digital resilience.